Configuring Certificate Enrollment or Autoenrollment
12. password string
13. rsakeypair key-label [key-size [encryption-key-size]]
14. fingerprint ca-fingerprint
15. on devicename :
16. exit
17. crypto pki authenticate name
18. exit
19. copy system:running-config nvram:startup-config
20. show crypto pki certificates
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
Example:
Router> enable
• Enter your password if prompted.

Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3
Command or Action: crypto pki trustpoint name
Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
Example:
Router(config)# crypto pki trustpoint mytp
Step 4
Command or Action: enrollment [mode | retry period minutes | retry count number] url url [pem]
Purpose: Specifies the URL of the CA to which your router should send certificate requests.
Example:
Router(ca-trustpoint)# enrollment url http://cat.example.com
• mode -- Specifies RA mode if your CA system provides an RA.
• retry period minutes -- Specifies the wait period between certificate request retries. The default is 1 minute between retries.
• retry count number -- Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. (Specify from 1 to 100 retries.)
• url url -- URL of the file system to which your router should send certificate requests. An IPv6 address can be added in the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80. For more enrollment method options, see the enrollment url (ca-trustpoint) command page.
• pem -- Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Note: An enrollment method other than TFTP or manual cut-and-paste must be configured to support autoenrollment.

Step 5
Command or Action: eckeypair label
Purpose: (Optional) Configures the trustpoint to use an Elliptic Curve (EC) key on which certificate requests are generated using ECDSA signatures. The label argument specifies the EC key label that is configured using the crypto key generate rsa or crypto key generate ec keysize command in global configuration mode. See the Configuring Internet Key Exchange for IPsec VPNs feature module for more information.
Example:
Router(ca-trustpoint)# eckeypair Router_1_Key
Note: If an ECDSA signed certificate is imported without a trustpoint configuration, then the label defaults to the FQDN value.

Step 6
Command or Action: subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name that will be used in the certificate request.
• x.500-name -- If it is not specified, the fully qualified domain name (FQDN), which is the default subject name, will be used.

Step 7
Command or Action: vrf vrf-name
Purpose: (Optional) Specifies the VRF instance in the public key infrastructure (PKI) trustpoint to be used for enrollment, certificate revocation list (CRL) retrieval, and Online Certificate Status Protocol (OCSP) status.
Example:
Router(ca-trustpoint)# vrf myvrf

Step 8
Command or Action: ip-address {ip-address | interface | none}
Purpose: (Optional) Includes the IP address of the specified interface in the certificate request.
Example:
Router(ca-trustpoint)# ip-address 192.168.1.66
• Issue the ip-address argument to specify either an IPv4 or IPv6 address.
• Issue the interface argument to specify an interface on the router.
• Issue the none keyword if no IP address should be included.
Note: If this command is enabled, you will not be prompted for an IP address during enrollment for this trustpoint.
Step 9
Command or Action: serial-number [none]
Purpose: (Optional) Specifies the router serial number in the certificate request, unless the none keyword is issued.
Example:
Router(ca-trustpoint)# serial-number
• Issue the none keyword to specify that a serial number will not be included in the certificate request.

Step 10
Command or Action: auto-enroll [percent] [regenerate]
Purpose: (Optional) Enables autoenrollment, allowing the client to automatically request a rollover certificate from the CA.
Example:
Router(ca-trustpoint)# auto-enroll regenerate
• If autoenrollment is not enabled, the client must be manually re-enrolled in your PKI upon certificate expiration.
• By default, only the Domain Name System (DNS) name of the router is included in the certificate.
• Use the percent argument to specify that a new certificate will be requested after the percentage of the lifetime of the current certificate is reached.
• Use the regenerate keyword to generate a new key for the certificate even if a named key already exists.
Note: If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable: "! RSA key pair associated with trustpoint is exportable."
Note: It is recommended that a new key pair be generated for security reasons.

Step 11
Command or Action: usage method1 [method2 [method3]]
Purpose: (Optional) Specifies the intended use for the certificate.
Example:
Router(ca-trustpoint)# usage ssl-client
• Available options are ike, ssl-client, and ssl-server; the default is ike.

Step 12
Command or Action: password string
Purpose: (Optional) Specifies the revocation password for the certificate.
Example:
Router(ca-trustpoint)# password string1
• If this command is enabled, you will not be prompted for a password during enrollment for this trustpoint.
Note: When SCEP is used, this password can be used to authorize the certificate request, often via a one-time password or similar mechanism.

Step 13
Command or Action: rsakeypair key-label [key-size [encryption-key-size]]
Purpose: (Optional) Specifies which key pair to associate with the certificate.
Example:
Router(ca-trustpoint)# rsakeypair key-label 2048 2048
• A key pair with the key-label argument will be generated during enrollment if it does not already exist or if the auto-enroll regenerate command was issued.
• Specify the key-size argument for generating the key, and specify the encryption-key-size argument to request separate encryption and signature keys and certificates. The key-size and encryption-key-size must be the same size. A length of less than 2048 is not recommended.
Note: If this command is not enabled, the FQDN key pair is used.
Step 14
Command or Action: fingerprint ca-fingerprint
Purpose: (Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA certificate during authentication.
Example:
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
Note: If the fingerprint is not provided and authentication of the CA certificate is interactive, the fingerprint will be displayed for verification.

Step 15
Command or Action: on devicename :
Purpose: (Optional) Specifies that RSA keys will be created on the specified device upon autoenrollment initial key generation.
Example:
Router(ca-trustpoint)# on usbtoken0:
• Devices that may be specified include NVRAM, local disks, and Universal Serial Bus (USB) tokens. USB tokens may be used as cryptographic devices in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication to be performed on the token.

Step 16
Command or Action: exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.
Example:
Router(ca-trustpoint)# exit

Step 17
Command or Action: crypto pki authenticate name
Purpose: Retrieves the CA certificate and authenticates it.
Example:
Router(config)# crypto pki authenticate mytp
• Check the certificate fingerprint if prompted.
Note: This command is optional if the CA certificate is already loaded into the configuration.

Step 18
Command or Action: exit
Purpose: Exits global configuration mode.
Example:
Router(config)# exit

Step 19
Command or Action: copy system:running-config nvram:startup-config
Purpose: (Optional) Copies the running configuration to the NVRAM startup configuration.
Note: Autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.

Step 20
Command or Action: show crypto pki certificates
Purpose: (Optional) Displays information about your certificates, including any rollover certificates.
Example:
Router# show crypto pki certificates
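The steps above collected into one complete trustpoint configuration, as an added example that is not part of the original guide. The trustpoint name mytp is the guide's own; the CA host ca.example.com, the VRF name myvrf, the subject name, the key label mytp-key, the 70 percent rollover threshold and the revocation password are assumed placeholders. The fingerprint value is the guide's sample from Step 14 and stands in for the value the CA operator publishes out of band.

```cisco
! Added example, not from the original guide. Replace placeholder values
! before use; in particular the fingerprint must be the one the CA operator
! published out of band, not a value copied from the router prompt.
enable
configure terminal
crypto pki trustpoint mytp
 ! Step 4: SCEP enrollment over HTTP. TFTP or cut-and-paste enrollment
 ! would not support the autoenrollment configured below.
 enrollment url http://ca.example.com
 enrollment retry period 2
 enrollment retry count 10
 ! Step 6: explicit X.500 subject instead of the default FQDN.
 subject-name cn=router1.example.com,ou=network
 ! Step 7: enrollment, CRL and OCSP traffic use this VRF (assumed name).
 vrf myvrf
 ! Steps 8 and 9: keep the address and serial number out of the request,
 ! which also suppresses the interactive prompts for them.
 ip-address none
 serial-number none
 ! Step 10: request a rollover certificate at 70% of the lifetime and
 ! generate a fresh key pair at each rollover (recommended by the guide).
 auto-enroll 70 regenerate
 ! Step 11: certificate intended for IKE (the default, stated explicitly).
 usage ike
 ! Step 12: revocation password; with SCEP this also authorizes the request.
 password REPLACE-WITH-ONE-TIME-PASSWORD
 ! Step 13: 2048-bit key; key-size and encryption-key-size must match.
 rsakeypair mytp-key 2048 2048
 ! Step 14: pin the CA certificate fingerprint so that Step 17 does not
 ! rely on an operator eyeballing the value at the prompt. Guide's sample
 ! value shown; substitute the published fingerprint.
 fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
 ! Step 16
 exit
! Step 17: fetch and authenticate the CA certificate. With the fingerprint
! configured above, a mismatch rejects the CA certificate.
crypto pki authenticate mytp
! Step 18
exit
! Step 19: write to NVRAM; autoenrollment will not save on your behalf if
! the running configuration has unsaved changes.
copy system:running-config nvram:startup-config
! Step 20: confirm the CA certificate and, later, any rollover certificate.
show crypto pki certificates
```

The `enrollment` options are entered as separate commands here rather than the single combined syntax line shown in Step 4, which is how the keywords are typed on the router. Pinning the fingerprint is the one step that turns the CA authentication from a manual check into a configuration-enforced one; if the CA is re-keyed, the trustpoint's fingerprint has to be updated at the same time or Step 17 will fail.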